

NATIONAL RECORDS OF SCOTLAND 

NATIONAL RECORDS OF SCOTLAND TERMS AND CONDITIONS 4 (NRSTC4) 
CONDITIONS OF CONTRACT FOR THE SUPPLY OF GOODS (AND ANY RELATED 
SERVICES) 


These Conditions may only be varied with the written agreement of the 
Purchaser. No terms or conditions put forward at any time by the Supplier shall 
form any part of the Contract unless specifically agreed in writing by the 
Purchaser. 

1. CONDITIONS


In these Conditions: 


“Contract” means the contract between the Purchaser and Supplier consisting of the 
Supplier's tender and the Purchaser's acceptance thereof (or the Supplier's 
acceptance of the Purchaser's order for the goods, as the case may be) together with 
any documents referred to in them, including the Specification and these Conditions 
and the Schedule annexed; 

“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Data
Subject Access Requests” have the meanings given in the Data Protection Laws;


“Data Protection Laws” means any Law, statute, subordinate legislation, regulation,
order, mandatory guidance or code of practice, judgment of a relevant court of Law, or
directives or requirements of any regulatory body which relates to the protection of
individuals with regard to the processing of Personal Data to which a Party is subject
including the Data Protection Act 2018 and any statutory modification or re-enactment
thereof and the UK GDPR;


“Goods” means any such goods as are to be supplied to the Purchaser by the 
Supplier (or by any of the Supplier's sub-contractors) pursuant to or in connection with 
this Contract; 


“Good Industry Practice” means standards, practices, methods and procedures
conforming to legal and regulatory requirements and the degree of skill and care,
diligence, prudence and foresight which would reasonably and ordinarily be expected
from a skilled and experienced person or body engaged in a similar type of
undertaking as the Supplier under the same or similar circumstances.


“Information Commissioner” means the Commissioner as set out in Part 5 of the Data 
Protection Act 2018. 


“Intellectual Property Rights” means all copyright, patent, trademark, design right,
database right and any other right in the nature of intellectual property whether or not
registered, in any materials or works in whatever form (including but not limited to any
materials stored in or made available by means of an information technology system and
the computer software relating thereto) which are created, produced or developed in
connection with this Contract by or on behalf of the Supplier;


“Law” means:

(a) any applicable statute or proclamation or any delegate or subordinate legislation;

(b) any enforceable right forming part of retained EU law within the meaning of the
European Union (Withdrawal) Act 2018;

(c) any applicable guidance, direction, determination, or regulations with which the
Purchaser and/or the Service Provider is bound to comply;

(d) any applicable judgment of a relevant court of law which is a binding precedent in
Scotland; and

(e) any requirements of any regulatory body;


in each case in force during the period of the Contract in Scotland. 


“Premises” means the location where the services are to be performed as specified in 
the Contract or Purchase Order; 


“Processing” has the meaning given in the Data Protection Laws and cognate
expressions shall be construed accordingly;


“Purchaser” means the Registrar General of Births, Deaths and 
Marriages for Scotland; 


“Purchase Order” means the document setting out the Purchaser's requirements for
the Contract;


“Schedule” means a schedule annexed to and forming part of these conditions;


“Services” means the services provided as specified in the contract including (but not
restricted to) installation of goods and shall, where the context so admits, include any
materials, articles and goods to be supplied in connection with any such services;


“Supplier” means the person, firm or company to whom the Contract is issued;


“Third country” means a country or territory outside the United Kingdom.


“UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27th April 2016 on the protection of natural persons with regard to the processing
of Personal Data and on the free movement of such data (General Data Protection
Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland
by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by
the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)
Regulations 2019.


2. THE GOODS 


2.1 The Goods shall be to the reasonable satisfaction of the Purchaser and shall 
conform in all respects with any particulars specified in the Contract and in any 
variations thereto. 


2.2 The Goods shall conform in all respects with the requirements of any statutes, orders,
regulations or bye-laws from time to time in force.


2.3 The Goods shall be fit and sufficient for the purpose for which such goods are 
ordinarily used and for any particular purpose made known to the Supplier by the 
Purchaser and the Purchaser relies on the skill and judgement of the Supplier in the 
supply of the Goods and the execution of the Contract. 


3. THE PRICE 


3.1 The price of the Goods and any related Services shall be as stated in the Contract 
and no increase will be accepted by the Purchaser unless agreed by the Purchaser in 
writing before the commencement of performance of the Contract. 


3.2.1 Unless otherwise agreed in writing by the Purchaser, the Supplier shall render a 
separate invoice in respect of each consignment delivered under the Contract. 
Payment shall be due 30 days after receipt of the Goods or the correct invoice 
therefor, whichever is the later. 


3.2.2 In this Condition 3, ‘invoice’ includes an electronic invoice meeting all the 
requirements set out in regulation 70A of the Public Contracts (Scotland) 
Regulations 2015 or regulation 44A of the Concession Contracts (Scotland)
Regulations 2016. 


3.3 Value Added Tax, where applicable, shall be shown separately on all invoices as a 
strictly net extra charge. 


3.4 Notwithstanding Condition 25 (Assignation and sub-contracting) of this Contract the
Supplier may assign to another person (an "assignee") the right to receive payment of 
the Price or any part thereof due to the Supplier under this Contract subject to (i) 
deduction of sums in respect of which the Purchaser exercises its right of recovery 
under Condition 24 (Recovery of sums due) of this Contract and (ii) all the related 
rights of the Purchaser under this Contract in relation to the recovery of sums due but 
unpaid. The Supplier shall notify or procure that any assignee notifies the Purchaser of 
any variations to the arrangements for payment of the Price or for handling invoices, in 
each case in good time to enable the Purchaser to redirect payments or invoices 
accordingly. In the absence of such notification the Purchaser shall be under no 
obligation to vary the arrangements for payment of the Price or for handling invoices. 


4. CHANGE TO CONTRACT REQUIREMENTS 


4.1 The Purchaser may order any variation to any quantity or specification of goods or 
to any part of the Services that for any other reason shall in the Purchaser's opinion 
be desirable. Any such variation may include (but shall not be restricted to) 
additions, omissions, alterations, substitutions to the Goods or Services and 
changes in quality, form, character, kind, timing, method or sequence of the delivery 
of Goods or provision of Services. 


4.2 Save as otherwise provided herein, no variation of the specification of Goods or 
of the Services as provided for in Condition 4.1 hereof shall be valid unless given or 
confirmed in the form of an order given by the Purchaser. All such orders shall be 
given in writing provided that if for any reason the Purchaser shall find it necessary to 
give any such order orally in the first instance the Supplier shall comply with such oral 
order which must be confirmed in writing by the Purchaser within 2 working days of 
the giving of such oral order by the Purchaser, failing which the variation made by 
such oral order shall cease to have effect on the expiry of the said 2 working day 
period. 


4.3 Where any such change in quality or specifications of Goods or variation of the
Services made in accordance with Conditions 4.1 and 4.2 has affected or may affect 
the costs incurred by the Supplier delivering the Goods or providing the Services, the 
Supplier will notify the Purchaser in writing of the effect which it has had or may have 
on the said costs and such notification shall be considered by the Purchaser, who 
shall take all of the facts into account (including such information as may be provided 
by the Supplier in respect of the effect which such variation has had or may have on 
the costs incurred by the Supplier in providing the Goods or Service) and may 
authorise such alteration to the sums to be paid to the Supplier in accordance with the 
provisions of the Contract as are, in the Purchaser’s opinion, appropriate and 
reasonable in the circumstances. 


5. INSPECTION OF PREMISES AND NATURE OF SERVICES


5.1 The Supplier is deemed to have inspected the Premises before tendering so as to 
have understood the nature and extent of the Services to be carried out and is 
deemed to be satisfied in relation to all matters connected with the Services and 
Premises. 


5.2 The Purchaser shall, at the request of the Supplier, grant such access as may be
reasonable for this purpose.


5.3 Unless otherwise specified, the Supplier shall provide all plant, tools, material, labour,
haulage and any other things necessary to complete the Contract.


6. SECURITY AND ACCESS TO THE PURCHASER’S PREMISES


6.1 Any access to, or occupation of, the Purchaser’s premises which the Purchaser may
grant the Supplier from time to time is on a non-exclusive licence basis free of charge.
The Supplier must use the Purchaser’s premises solely for the purpose of performing
its obligations under the Contract and must limit access to the Purchaser’s premises
to such individuals as are necessary for that purpose.


6.2 The Supplier must comply with the Purchaser’s policies concerning Baseline
Personnel Security Standard checks and such modifications to those policies or
replacement policies as are notified to the Supplier from time to time.


6.3 The Supplier must notify the Purchaser of any matter or other change in
circumstances which might adversely affect future Baseline Personnel Security
Standard clearance.


6.4 At the Purchaser’s written request, the Supplier must provide a list of the
names and addresses of all persons who may require admission to the Purchaser’s
premises in connection with the Contract, specifying the capacities in which they are
concerned with the Contract and giving such other particulars as the Purchaser may
reasonably request.


6.5 The Supplier must ensure that any individual Supplier Representative entering the
Purchaser’s premises has completed the process for obtaining Baseline Personnel
Security Standard clearance. The Supplier acknowledges that the Purchaser has the
right to deny entry to any individual that has not completed the process for obtaining
Baseline Personnel Security Standard clearance.


6.6 In accordance with the Purchaser’s policies concerning visitor access, entry to the
Purchaser’s premises may be granted to individual Supplier Representatives for the
purposes of meetings, notwithstanding that the process for obtaining Baseline
Personnel Security Standard clearance has not commenced or completed.


6.7 The Purchaser may, by notice to the Supplier, refuse to admit onto, or withdraw
permission to remain on, the Purchaser’s premises any Supplier Representative whose
admission or continued presence would, in the opinion of the Purchaser acting
reasonably, be undesirable.


6.8 The Purchaser must provide advice and assistance acting reasonably to the Supplier
to facilitate the Supplier’s compliance with this Condition.


6.9 All decisions of the Purchaser under this Condition are final and conclusive.


6.10 Breach of this Condition 6 by the Supplier is a material breach for the
purposes of Condition 23.2 (Termination).


6.11 If cyber security requirements apply to this Contract:


6.11.1 then these are set out in a Schedule Part 2 (Cyber Security
Requirements) to this Contract; and


6.11.2 in that case the Supplier shall comply with the provisions of Schedule Part 2
(Cyber Security Requirements)


and this Condition 6.11 shall not apply where the Contract does not include a Schedule
Part 2 (Cyber Security Requirements).


“Baseline Personnel Security Standard” means the pre-employment controls for all civil 
servants, members of the Armed Forces, temporary staff and government contractors 
generally. 


“Supplier Representatives” means all persons engaged by the Supplier in the
performance of its obligations under the Contract including:


- its employees and workers (including persons employed by a third party
but working for and under the control of the Supplier);

- its agents, suppliers and carriers; and

- any sub-contractors and sub-suppliers of the Supplier (whether approved
under Condition 25 (Assignation and sub-contracting) or otherwise).


7. SUPPLIER'S STATUS 


In carrying out any Services associated with the Contract the Supplier shall be acting as 
principal and not as the agent of the Purchaser. Accordingly: 


(a) the Supplier shall not (and shall procure that his agents and servants do not) 
say or do anything that might lead any other person to believe that the 
Supplier is acting as the agent of the Purchaser, and 


(b) nothing in this Contract shall impose any liability on the Purchaser in respect 
of any liability incurred by the Supplier to any other person but this shall not 
be taken to exclude or limit any liability of the Purchaser to the Supplier that 
may arise by virtue of either a breach of this Contract or any negligence on 
the part of the Purchaser, or the Purchaser’s staff or agents.


8. SUPPLIER'S PERSONNEL 


8.1 The Supplier shall take the steps reasonably required by the Purchaser to prevent 
unauthorised persons being admitted to the Premises. If the Purchaser gives the 
Supplier notice that any person is not to be admitted to or is to be removed from the 
Premises or is not to become involved in or is to be removed from involvement in the 
performance of the Contract, the Supplier shall take all reasonable steps to comply 
with such notice and if required by the Purchaser the Supplier shall replace any 
person removed under this Condition with another suitably qualified person and
procure that any security pass issued to the person removed is surrendered. The
giving of such notice by the Purchaser to the Supplier as aforesaid shall not entitle the
Supplier to delay, suspend, terminate or withhold the performance of any of its
obligation in terms of the Contract and it shall remain bound to timeously implement
its obligations in full, whether or not it complies with the terms of the said notice or
otherwise.


8.2 If and when instructed by the Purchaser, the Supplier shall give to the Purchaser a
list of names and addresses of all persons who are or may be at any time
concerned with the Services or any part of them specifying the capacities in which
they are so concerned, and giving such other particulars and evidence of identity
and other supporting evidence as the Purchaser may reasonably require.


8.3 The decision of the Purchaser shall be final and conclusive as to whether any
person is to be admitted to or is to be removed from the Premises or is not to
become involved in or is to be removed from involvement in the performance of the
Contract and as to whether the Supplier has furnished the information or taken the
steps required of the Supplier by this Condition.


8.4 The Supplier shall bear the cost of any notice, instruction or decision of the Purchaser
under this Condition.


9. DELIVERY


9.1 The Supplier shall make no delivery of materials, plant or other things, nor
commence any work on the Premises without obtaining the Purchaser's prior
consent. The Supplier shall make delivery at a time agreed between the Supplier
and Purchaser.


9.2 The Goods shall be delivered to the place named in the Contract. Any access to
premises and any labour and equipment that may be provided by the Purchaser in
connection with delivery shall be provided without acceptance by the Purchaser of
any liability whatsoever and the Supplier shall indemnify the Purchaser and the
Crown in respect of any actions, suits, claims, demands, losses, charges, costs and
expenses which the Purchaser or the Crown may suffer or incur as a result of or in
connection with any damage or injury (whether fatal or otherwise) occurring in the
course of delivery or installation to the extent that any such damage or injury is
attributable to any act or omission of the Supplier or any of the Supplier’s
sub-contractors.


9.3 The time of delivery shall be of the essence and failure to deliver within the time
promised or specified shall enable the Purchaser (at the Purchaser’s option) to
release themselves from any obligation to accept and pay for the Goods and/or to
cancel all or part of the Contract therefor, in either case without prejudice to the
Purchaser’s other rights and remedies.


10. ACCESS


10.1 Where any access to the premises is necessary in connection with delivery or
installation the Supplier and the Supplier’s sub-contractors shall at all times comply
with the reasonable requirements of the Purchaser's Head of Security.


10.2 Access to the Premises shall not be exclusive to the Supplier but only such as shall
enable the Supplier to carry out the Services concurrently with the execution of work
by others. The Supplier shall co-operate with such others as the Purchaser may
reasonably require.


10.3 The Purchaser shall have the power at any time during the progress of the
Services to order in writing: 


(a) the removal from the Premises of any materials which in the opinion of the 
Purchaser are either hazardous, noxious or not in accordance with the 
Contract; 


(b) the substitution of proper and suitable materials; 


(c) the removal and proper re-execution notwithstanding any previous test thereof 
or interim payment therefor of any work which, in respect of material or 
workmanship, is not in the opinion of the Purchaser in accordance with the
Contract. 


The Supplier shall comply forthwith with the terms of any such order. 


10.4 On completion of the Services the Supplier shall remove the Supplier’s plant, 
equipment and unused materials and shall clear away from the Premises all rubbish 
arising out of the Services and leave the Premises in a neat and tidy condition. 


11. PROPERTY AND RISK


Property and risk in the Goods shall without prejudice to any of the rights or remedies of the 
Purchaser (including the Purchaser's rights and remedies under Condition 13 (Inspection, 
etc.) hereof) pass to the Purchaser at the time of delivery. 


12. DAMAGE IN TRANSIT 


On dispatch of any consignment of the Goods the Supplier shall send to the Purchaser at the 
address for delivery of the Goods an advice note specifying the means of transport, the place 
and date of dispatch, the number of packages and their weight and volume. The Supplier 
shall free of charge and as quickly as possible either repair or replace (as the Purchaser shall 
elect) such of the Goods as may either be damaged in transit or having been placed in transit 
fail to be delivered to the Purchaser provided that: 


(a) in the case of damage to such Goods in transit the Purchaser shall within 
thirty days of delivery give notice to the Supplier that the Goods have been 
damaged; 


(b) in the case of non-delivery the Purchaser shall (provided that the 
Purchaser has been advised of the dispatch of the Goods) within 
10 days of the notified date of delivery give notice to the Supplier that the
Goods have not been delivered. 


13. INSPECTION, REJECTION AND GUARANTEE 


13.1 The Supplier shall permit the Purchaser or the Purchaser’s authorised 
representatives to make any inspections or tests of the Goods the Purchaser may 
reasonably require and the Supplier shall afford all reasonable facilities and 
assistance free of charge at the Supplier’s premises. No failure to make complaint at
the time of such inspection or tests and no approval given during or after such tests or 
inspections shall constitute a waiver by the Purchaser of any rights or remedies in 
respect of the Goods. 


13.2 The Purchaser may by written notice to the Supplier reject any of the Goods
which fail to meet the requirements specified in the contract. Such notice shall be
given within a reasonable time after delivery to the Purchaser of Goods concerned. If the
Purchaser shall reject any of the Goods pursuant to this Condition the Purchaser shall be
entitled (without prejudice to his other rights and remedies) either:


(a) to have the Goods concerned as quickly as possible either repaired by the
Supplier or (as the Purchaser shall elect) replaced by the Supplier with Goods
which comply in all respects with the requirements specified herein; or


(b) to obtain a refund from the Supplier in respect of the Goods
concerned.


13.3 The guarantee period applicable to the Goods shall be 12 months from the putting into
service or 18 months from delivery of the Goods, whichever shall be the shorter
(subject to any alternative guarantee arrangements agreed in writing between the
Purchaser and the Supplier). If the Purchaser shall within such guarantee period or
within 30 days thereafter give notice in writing to the Supplier of any defect in any of
the Goods as may have arisen during such guarantee period under proper and normal
use the Supplier shall (without prejudice to any other rights and remedies which the
Purchaser may have) as quickly as possible remedy such defects (whether by repair
or replacement as the Purchaser shall elect) without cost to the Purchaser.


13.4 Any Goods rejected or returned by the Purchaser as described in paragraphs
13.2 or 13.3 shall be returned to the Supplier at the Supplier's risk and expense.


14. LABELLING AND PACKAGING


14.1 The Goods shall be packed and marked in a proper manner and in accordance with
the Purchaser's instructions and any statutory requirements and any requirements of
the carriers. In particular the Goods shall be marked with the number of the Purchase
Order (if any), the net, gross and tare weights, the name of the contents shall be
clearly marked on each container and all containers of hazardous goods (and all
documents relating thereto) shall bear prominent and adequate warnings. The
Supplier shall indemnify the Purchaser and the Crown against all actions, suits,
claims, demands, losses, charges, costs and expenses which the Purchaser or the
Crown may suffer or incur as a result of or in connection with any breach of this
Condition.


14.2 All packaging materials will be considered non-returnable and will be destroyed
unless the Supplier's advice note states that such materials will be charged for
unless returned. The Purchaser accepts no liability in respect of the non-arrival at the
Supplier's Premises of empty packages returned by the Purchaser unless the
Supplier shall within ten days of receiving notice from the Purchaser that the
packages have been dispatched notify the Purchaser of such non-arrival.


14.3 The Supplier represents and warrants that the maximum use has been made of
recycled materials in the manufacture of crates, pallets, boxes, cartons, cushioning
and other forms of packing, where these fulfil other packing specifications.


15. AUDIT


The Supplier shall keep and maintain until 5 years after the Contract has been completed
records to the satisfaction of the Purchaser of all expenditures which are reimbursable by the
Purchaser and of the hours worked and costs incurred in connection with any employees of
the Supplier paid for by the Purchaser on a time charge basis. The Supplier shall on request
afford the Purchaser or his representatives such access to those records as may be required
by the Purchaser in connection with the Contract.


16. CORRUPT GIFTS OR PAYMENTS


The Supplier shall not offer or give, or agree to give, to any employee or representative of the 
Purchaser any gift or consideration of any kind as an inducement or reward for doing or 
refraining from doing or for having done or refrained from doing, any act in relation to the 
obtaining or execution of this or any other contract with the Purchaser or for showing or 
refraining from showing favour or disfavour to any person in relation to this or any such 
Contract. The attention of the Supplier is drawn to the criminal offences created by the Bribery 
Act 2010. 


17. INTELLECTUAL PROPERTY RIGHTS 


17.1 All Intellectual Property Rights in any material, including (but not limited to) reports, 
guidance, specification, instructions, toolkits, plans, data, drawings, databases, 
patents, patterns, models, designs which are created or developed by the Supplier 
on behalf of the Purchaser for use, or intended use, in relation to the performance by 
the Supplier of its obligations under the Contract are hereby assigned to and shall 
vest in the Crown absolutely. 


17.2 Except as may expressly be provided for in the Contract, neither party acquires any 
interest in or license to use the other party’s Intellectual Property Rights owned or 
developed prior to or independently of the Contract. 


17.3 The Supplier must not infringe any Intellectual Property Rights of any third party in 
providing the Services or otherwise performing its obligations under the Contract. The 
Supplier shall indemnify the Purchaser against all actions, claims, demands, losses, 
charges, costs and expenses which the Purchaser may suffer or incur as a result of or 
in connection with any breach of this Condition 17.3. 


17.4 The provisions of this Condition 17 shall apply during the continuance of this 
Contract and after its termination howsoever arising. 


18. HEALTH AND SAFETY


18.1 The Supplier represents and warrants to the Purchaser that the Supplier is satisfied 
that all necessary tests and examinations have been made or will be made prior to 
delivery of the Goods to ensure that the Goods are designed and constructed so as 
to be safe and without risk to the health or safety of persons using the same, and that 
the Supplier has made available to the Purchaser adequate information about the use 
for which the Goods have been designed and have been tested and about any 
conditions necessary to ensure that when put to use the goods will be safe and 
without risk to health. 


18.2 The Supplier shall perform the Services in such a manner as to be safe and without 
risk to the health or safety of persons in the vicinity of the place where the Services 
are being performed (whether such persons are in the vicinity of the said place at the 
time when the Services are being performed or otherwise) and in such a manner as to 
comply with any relevant health and safety or other legislation (including Statutory 
Instrument, Orders, or Regulations made under the said legislation) and any 
requirements imposed by a local or other regulatory authority in connection with the
performance of services of the type supplied to the Purchaser, whether specifically or 
generally. 


18.3 With prejudice to the generality of paragraph 18.1 hereof, the Supplier shall 
indemnify the Purchaser and the Crown against all actions, suits, claims, demands, 
losses, charges, costs and expenses which the Purchaser or the Crown may suffer 
or incur as a result of or in connection with any breach of paragraphs 18.1 or 18.2 
hereof. 


19. INDEMNITY AND INSURANCE 


19.1 Without prejudice to any rights or remedies of the Purchaser (including the
Purchaser's rights and remedies under Condition 13 (Inspection, etc.) hereof) the
Supplier shall indemnify the Purchaser and the Crown against all actions, suits,
claims, demands, losses, charges, costs and expenses which the Purchaser or the
Crown may suffer or incur as a result of or in connection with any damage to
property or in respect of any injury (whether fatal or otherwise) to any person
which may result directly or indirectly from any defect in the Goods or the
negligent or wrongful act or omission of the Supplier.


19.2 The Purchaser shall indemnify the Supplier in respect of all claims, proceedings, 
actions, damages, fines, costs, expenses or other liabilities which may arise out of, or 
in consequence of, a breach of the Data Protection Laws where the breach is the 
direct result of the Supplier acting in accordance with the Purchaser’s specific written 
instructions. This indemnity provision shall not apply if the Supplier: 


(a) acts on the Purchaser’s specific written instructions but fails to notify the
Purchaser in accordance with Condition 31.11(c) of this Contract; 


(b) fails to comply with any other obligation under the Contract. 


19.3 The Supplier shall have in force and shall require any sub-Contractor to have in 
force: 


(a) employer's liability insurance in accordance with any legal 
requirements for the time being in force, and 


(b) public liability insurance for such sum and range of cover as the Supplier 
deems to be appropriate but covering at least all matters which are the subject 
of indemnities or compensation obligations under these Conditions in the sum 
of not less than £1 million for any one incident and unlimited in total, unless 
otherwise agreed by the Purchaser in writing. 


19.3 The policy or policies of insurance referred to in paragraph 19.2 shall be shown to 
the Purchaser whenever the Purchaser requests, together with satisfactory 
evidence of payment of premiums. 


20. DISCRIMINATION 


The Supplier must not unlawfully discriminate against any person within the meaning of the 
Equality Act 2010 in its activities relating to the Contract or any other contract with the 
Purchaser. 
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21. 


BLACKLISTING 


The Supplier must not commit any breach of the Employment Relations Act 1999 (Blacklists) 
Regulations 2010 or section 137 of the Trade Union and Labour Relations (Consolidation) Act 
1992, or commit any breach of the Data Protection Act 1998 by unlawfully processing Personal 
Data in connection with any blacklisting activities. 

Breach of this Condition is a material default which shall entitle the Purchaserto terminate 

the Contract 


22. OFFICIAL SECRETS ACTS, CONFIDENTIALITY, AND ACCESS TO 
GOVERNMENT INFORMATION 


22.1 The Supplier undertakes to abide and procure that the Supplier’s employees abide 
by the provisions of the Official Secrets Acts 1911 to 1989. 


22.2 The Supplier shall keep secret and not disclose and shall procure that the Supplier’s 
employees keep secret and do not disclose any information of a confidential nature 
obtained by the Supplier by reason of the Contract except information which is in the 
public domain otherwise than by reason of a breach of this provision. 


22.3 All information related to the Contract with the Supplier will be treated as 
commercial in confidence by the parties except that: 


(a) The Supplier may disclose any information as required by Law or 
judicial order to be disclosed. 


(b) The Purchaser may disclose any information as required by Law or judicial 
order to be disclosed. Further, the Purchaser may disclose all information 
obtained by the Purchaser by virtue of the Contract to the Scottish or United 
Kingdom Parliament or any other department, office or agency of Her 
Majesty’s Government in Scotland or the United Kingdom, and their servants 
or agents. When disclosing such information to either the Scottish Parliament 
or the United Kingdom Parliament it is recognised and agreed by both parties 
that the Purchaser shall, if the Purchaser sees fit, disclose such information 
but is unable to impose any restrictions upon the information that the 
Purchaser provides to Members of the Scottish Parliament (MSPs) or 
Members of the United Kingdom Parliament (MPs). Such disclosure shall not 
be treated as a breach of this Contract. 


22.4 The provisions of this Condition 22 shall apply during the continuance of the 
Contract and after its termination howsoever arising. 


22.5 The Parties acknowledge that, except for any Information which is exempt from 
disclosure in accordance with the provisions of the FOISA, the content of the Contract 
is not confidential information and the Supplier hereby gives its consent for the 
Purchaser to publish the Contract in its entirety to the general public (but with any 
Information that is exempt from disclosure in accordance with the FOISA redacted) 
including any changes to the Contract agreed from time to time. 


23. TERMINATION 


23.1 The Supplier shall notify the Purchaser in writing immediately upon the 
occurrence of any of the following events: 

(a) where the Supplier is an individual and if a petition is presented for the 
Supplier's bankruptcy or the sequestration of the Supplier's estate or a criminal 
bankruptcy order is made against the Supplier, or the Supplier is apparently 
insolvent, or makes any composition or arrangement with or for the benefit of 
creditors, or makes any conveyance or assignation for the benefit of creditors, 
or if an administrator or trustee is appointed to manage the Supplier’s affairs; or 


(b) where the Supplier is not an individual but is a firm, or a number of persons 
acting together in any capacity, if any event in (a) or (c) of this Condition 
occurs in respect of the firm or any partner in the firm or any of those persons 
or a petition is presented for the Supplier to be wound up as an unregistered 
company; or 


(c) where the Supplier is a company, if the company passes a resolution for 
winding-up or dissolution (otherwise than for the purposes of and followed by 
an amalgamation or reconstruction) or the court makes an administration 
order or a winding-up order, or the company makes a composition or 
arrangement with its creditors, or an administrator, 
administrative receiver, receiver or manager is appointed by a creditor or by the 
court or possession is taken of any of its property under the terms of a floating 
charge. 


23.2 On the occurrence of any of the events described in paragraph 23.1 or, if the Supplier 
shall have committed a material breach of this Contract and (if such breach is capable 
of remedy) shall have failed to remedy such breach within 30 days of being required by 
the Purchaser in writing to do so or, where the Supplier is an individual, if the Supplier 
shall die or be adjudged incapable of managing his or her affairs within the meaning of 
the Adults with Incapacity (Scotland) Act 2000 or the Mental Health (Care and 
Treatment) (Scotland) Act 2003, the Purchaser shall be entitled to terminate this 
Contract by notice to the Supplier with immediate effect. Thereupon, without prejudice 
to any other of the Purchaser’s rights, the Purchaser may complete the Services or 
have them completed by a third party, using for that purpose (making a fair and proper 
allowance therefor in any payment subsequently made to the Supplier) all materials, 
plant and equipment on the Premises belonging to the Supplier, and the Purchaser 
shall not be liable to make any further payment to the Supplier until the Services have 
been completed in accordance with the requirements of the Contract, and shall be 
entitled to deduct from any amount due to the Supplier the costs thereof incurred by the 
Purchaser (including the Purchaser's own costs). If the total cost to the Purchaser 
exceeds the amount (if any) due to the Supplier, the difference shall be recoverable by 
the Purchaser from the Supplier. 


23.3 The Purchaser may terminate the Contract in the event that: 


(a) the Contract has been subject to substantial modification which would have 
required a new procurement procedure in accordance with regulation 72(9) 
(modification of contracts during their term) of The Public Contracts (Scotland) 
Regulations 2015; 


(b) the Supplier has, at the time of contract award, been in one of the situations 
referred to in regulation 58(1) (exclusion grounds) of The Public Contracts 
(Scotland) Regulations 2015, including as a result of the application of 
regulation 58(2) of those regulations, and should therefore have been 
excluded from the procurement procedure. 


23.4 The Purchaser may also terminate the Contract in the event of a failure by the Supplier 
to comply in the performance of the Services with legal obligations in the fields of 
environmental, social and employment Law. 


23.5 The Purchaser shall be entitled to terminate this Contract by giving to the 
Supplier not less than 30 days' notice to that effect. 


23.6 Termination shall not prejudice or affect any right of action or remedy which shall have 
accrued or shall thereupon accrue to the Purchaser and shall not affect the continued 
operation of Conditions 17 (Intellectual Property Rights) and 22 (Official Secrets Acts, 
etc.). 


24. RECOVERY OF SUMS DUE 


Wherever under the Contract any sum of money is recoverable from or payable by the 
Supplier, that sum may be deducted from any sum then due, or which at any later time may 
become due, to the Supplier under the Contract or under any other agreement or contract 
with the Purchaser or with any department agency or authority of the Crown. 


25. ASSIGNATION AND SUB-CONTRACTING 


25.1 The Supplier shall not without the written consent of the Purchaser assign the benefit 
or burden of the Contract or any part thereof. 


25.2 No sub-contracting by the Supplier shall in any way relieve the Supplier of any of 
his responsibilities under the Contract. 


25.3 Where the Supplier enters into a sub-contract it must ensure that a provision is 
included which: 

25.3.1 requires payment to be made of all sums due by the Supplier to the 
sub-contractor within a specified period not exceeding 30 days from the receipt 
of a valid invoice as defined by the sub-contract requirements and provides 
that, where the Purchaser has made payment to the Supplier in respect of 
Services and the sub-contractor’s invoice relates to such Services then, to 
that extent, the invoice must be treated as valid and, provided the Supplier 
is not exercising a right of retention or set-off in respect of a breach of 
contract by the sub-contractor or in respect of a sum otherwise due by the 
sub-contractor to the Supplier, payment must be made to the 
sub-contractor without deduction; 


25.3.2 notifies the sub-contractor that the sub-contract forms part of a larger 
contract for the benefit of the Purchaser and that should the sub-contractor 
have any difficulty in securing the timely payment of an invoice, that matter 
may be referred by the sub-contractor to the Purchaser; and 


25.3.3 in the same terms as that set out in this Condition 25.3 (including for the 
avoidance of doubt this Condition 25.3.3) subject only to modification to 
refer to the correct designation of the equivalent party as the Supplier and 
sub-contractor as the case may be. 


25.4 The Supplier shall also include in every sub-contract: 


24.4.1 a right for the Supplier to terminate that sub-contract if the relevant 
sub-contractor fails to comply in the performance of its contract with legal 
obligations in the fields of environmental, social or employment Law or if 
any of the termination events (involving substantial modification of the 
Contract, contract award despite the existence of exclusion grounds) 
specified in Condition 23.3 occur; and 


25.4.2 a requirement that the sub-contractor includes a provision having the same 
effect as 25.4.1 in any sub-contract which it awards. 


In this Condition 25.4, ‘sub-contract’ means a contract between two or more suppliers, 
at any stage of remoteness from the Purchaser in a sub-contracting chain, made wholly 
or substantially for the purpose of performing (or contributing to the performance of) the 
whole or any part of this Contract. 


26. NOTICES 


Any notice given under or pursuant to the Contract may be sent by hand or by post or by 
registered post or by the recorded delivery service or transmitted by telex, telemessage, 
facsimile transmission or other means of telecommunication resulting in the receipt of a 
written communication in permanent form and if so sent or transmitted to the address of the 
party shown on the Purchase Order, or to such other address as the party may by notice to 
the other have substituted therefor, shall be deemed effectively given on the day when in the 
ordinary course of the means of transmission it would first be received by the addressee in 
normal business hours. 


27. COMPLIANCE WITH THE LAW ETC. 

In performing the Contract, the Supplier must comply in all respects with: 
27.1 all applicable Law; 

27.2 any applicable requirements of regulatory bodies; and 


27.3 Good Industry Practice. 


28. DISPUTE RESOLUTION 


28.1 The parties must attempt in good faith to resolve any dispute between them arising 
out of or in connection with the Contract. 


28.2 Any dispute or difference arising out of or in connection with the Contract, including 
any question regarding its existence, validity or termination which cannot be resolved 
in good faith, shall be determined by the appointment of a single arbitrator to be 
agreed between the parties, and failing agreement within 14 days after either party 
has given to the other a written request to 
concur in the appointment of an arbitrator, by an arbitrator to be appointed by the 
Scottish Arbitration Centre on the written application of either party. The seat of the 
arbitration shall be in Scotland. The language used in the arbitral proceedings shall 
be English. 


28.3 Any arbitration under 28.2 is subject to the Arbitration (Scotland) Act 2010. 


29. HEADINGS 


The headings to Conditions shall not affect their interpretation. 


30. GOVERNING LAW 


These Conditions shall be governed by and construed in accordance with Scots Law and the 
Supplier hereby irrevocably submits to the jurisdiction of the Scottish courts. The submission 
to such jurisdiction shall not (and shall not be construed so as to) limit the right of the 
Purchaser to take proceedings against the Supplier in any other court of competent 
jurisdiction, nor shall the taking of proceedings in any one or more jurisdictions preclude the 
taking of proceedings in any other jurisdiction, whether concurrently or not. 


31. DATA PROTECTION 


31.1 The Supplier acknowledges that any Personal Data described in the scope of 
Schedule Part 1 (Data Protection) may be Processed in connection with the Services 
under this Contract. For the purposes of any such Processing, Parties agree that the 
Supplier acts as the Data Processor and the Purchaser acts as the Data Controller. 


31.2 Both Parties agree to negotiate in good faith any such amendments to this Contract 
that may be required to ensure that both Parties meet all their obligations under Data 
Protection Laws. The provisions of this Condition 31 are without prejudice to any 
obligations and duties imposed directly on the Supplier under the Data Protection 
Laws and the Supplier hereby agrees to comply with those obligations and duties. 


31.3 The Supplier will, in conjunction with the Purchaser and in its own right and in 
respect of the Services, make all necessary preparations to ensure it will be 
compliant with the Data Protection Laws. 


31.4 The Supplier will provide the Purchaser with the contact details of its data protection 
officer or other designated individual with responsibility for data protection and 
privacy to act as the point of contact for the purpose of observing its obligations 
under the Data Protection Laws. 


31.5 The Supplier must: 


31.5.1 process Personal Data only as necessary in accordance with obligations 
under the Contract and any written instructions given by the Purchaser (which 
may be specific or of a general nature), including with regard to transfers of 
Personal Data to a Third Country other than within the European Economic 
Area unless required to do so by European Union or domestic Law or 
Regulatory Body to which the Supplier is subject; in which case the Supplier 
must inform the Purchaser of that legal requirement before processing unless 
prohibited by that Law the Personal Data only to the extent, and in such 
manner as is necessary for the performance of the Supplier’s obligations 
under this Contract or as is required by the Law; 


31.5.2 subject to Condition 31.5.1 only process or otherwise transfer any Personal 
Data in or to a Third Country other than within the European Economic Area 
with the Purchaser’s prior written consent; 


31.5.3 take all reasonable steps to ensure the reliability and integrity of any Supplier 
Personnel who have access to the Personal Data and ensure that the 
Supplier Personnel: 


(a) are aware of and comply with the Supplier’s duties under this 
Condition; 
(b) are subject to appropriate confidentiality undertakings with the 
Supplier or the relevant Sub-contractor; 

(c) are informed of the confidential nature of the Personal Data and do not 
publish, disclose or divulge any of the Personal Data to any third party 
unless directed in writing to do so by the Purchaser or as otherwise 
permitted by this Contract; and 

(d) have undergone adequate training in the use, care, protection and 
handling of Personal Data. 


31.5.4 implement appropriate technical and organisational measures including those 
in accordance with Article 32 of the UK GDPR to protect Personal Data 
against unauthorised or unlawful Processing and against accidental loss, 
destruction, damage, alteration or disclosure, such measures being 
appropriate to the harm which might result from any unauthorised or unlawful 
Processing accidental loss, destruction or damage to the Personal Data and 
having regard to the nature of the Personal Data which is to be protected. 


31.6 The Supplier shall not engage a sub-contractor to carry out Processing in connection 
with the Contract without prior specific or general written authorisation from the 
Purchaser. In the case of general written authorisation, the Supplier must inform the 
Purchaser of any intended changes concerning the addition or replacement of any 
other sub-contractor and give the Purchaser an opportunity to object to such changes. 


31.7 If the Supplier engages a sub-contractor for carrying out Processing activities on behalf 
of the Purchaser, the Supplier must ensure that the same data protection obligations as 
set out in this Contract are imposed on the sub-contractor by way of a written and 
legally binding contract, in particular providing sufficient guarantees to implement 
appropriate technical and organisational measures. The Supplier shall remain fully 
liable to the Purchaser for the performance of the sub-contractor’s performance of the 
obligations. 


31.8 The Supplier must provide to the Purchaser reasonable assistance including by such 
technical and organisational measures as may be appropriate in complying with Articles 12-23 
of the UK GDPR. The Supplier must notify the Purchaser if it: 
(a) receives a Data Subject Access Request (or purported Data Subject Access 
Request); 


(b) receives a request to rectify, block or erase any Personal Data; 


(c) receives any other request, complaint or communication relating to either Party's 
obligations under the Data Protection Laws; 


(d) receives any communication from the Information Commissioner or any other 
regulatory authority in connection with Personal Data processed under this Contract; 
or 


(e) receives a request from any third Party for disclosure of Personal Data where 
compliance with such request is required or purported to be required by Law or 
regulatory order; 


and such notification must take place as soon as is possible but in any event within 3 
business days of receipt of the request or any other period as agreed in writing with the 
Purchaser from time to time. 


31.9 Taking into account the nature of the Processing and the information available, the 
Supplier must assist the Purchaser in complying with the Purchaser’s obligations 
concerning the security of Personal Data, reporting requirements for data breaches, 
data protection impact assessments and prior consultations in accordance with 
Articles 32 to 36 of the UK GDPR. These obligations include: 


(a) ensuring an appropriate level of protection through technical and organisational 
measures that take into account the circumstances and purposes of the 
processing as well as the projected probability and severity of a possible 
infringement of the Law as a result of security vulnerabilities and that enable an 
immediate detection of relevant infringement events. 


(b) notifying a Personal Data breach to the Purchaser without undue delay and in 
any event no later than 24 hours after becoming aware of a Personal Data 
breach; 


(c) assisting the Purchaser with communication of a Personal Data breach to a 
Data Subject; 


(d) supporting the Purchaser with preparation of a data protection impact 
assessment; 


(e) supporting the Purchaser with regard to prior consultation of the Information 
Commissioner. 


31.10 At the end of the provision of Services relating to processing the Supplier 
must, on written instruction of the Purchaser, delete or return to the Purchaser all 
Personal Data and delete existing copies unless EU or domestic Law requires 
storage of the Personal Data. 


31.11 The Supplier must: 


(a) provide such information as is necessary to enable the Purchaser to satisfy 
itself of the Supplier's compliance with this Condition 31; 


(b) allow the Purchaser, its employees, auditors, authorised agents or advisers 
reasonable access to any relevant premises, during normal business hours, 
to inspect the procedures, measures and records referred to in this Condition 
31 and contribute as is reasonable to those audits and inspections; 


(c) inform the Purchaser if in its opinion an instruction from the Purchaser 
infringes any obligation under the Data Protection Laws. 


31.12 The Supplier must maintain written records including in electronic form, of all 
Processing activities carried out in performance of the Services or otherwise on 
behalf of the Purchaser containing the information set out in Article 30(2) of the 
UK GDPR. 


31.13 If requested, the Supplier must make such records referred to in Condition 31.12 
available to the Information Commissioner on request and co-operate with the 
Information Commissioner in the performance of its tasks. 


31.14 Parties acknowledge that the inspecting party will use reasonable endeavours to carry 
out any audit or inspection under Condition 31.13 with minimum disruption to the 
Supplier’s day to day business. 


SUPPLEMENTARY NOTICE 


1. PROTECTING THE ENVIRONMENT 

Suppliers to the National Records of Scotland are requested to satisfy themselves 
that no product will be supplied or used in the Supply of Goods to the Purchaser 
which will endanger the health of the consumers or others, will cause significant 
damage to the environment during manufacture, use, or disposal, which consumes 
a disproportionate amount of energy during manufacture, use, or disposal, which 
causes unnecessary waste because of over-packaging or because of an unusually 
short shelf life, or which contains materials derived from threatened species or 
threatened environments. 


2. LATE PAYMENT OF INVOICES 

Suppliers to the National Records of Scotland are requested to address complaints 
regarding late payment of invoices to, in the first instance, the addressee of the 
invoice and, in the second instance to the Chief Purchasing/Procurement Officer, 
Ladywell House, Ladywell Road, Edinburgh, EH12 7TF. This procedure is 
suggested as the best practical way of ensuring problems of late payment are 
resolved, and is not intended to interfere with Suppliers’ legal rights. 





THIS NOTICE DOES NOT FORM PART OF THE CONDITIONS OF CONTRACT 


SCHEDULES 


The following two schedules may be required to form part of the contract. 


PART 1 DATA PROTECTION 
PART 2 CYBER SECURITY REQUIREMENTS 


Where either, or both, of these schedules are required it will be clearly stated by the 
Purchaser in the tender documents: 


This is the Schedule referred to in the foregoing Conditions of Contract for the Purchase 
of Goods between [PURCHASER NAME] and 


SCHEDULE 
PART 1 
DATA PROTECTION 
Data Processing provision as required by Article 28(3) UK GDPR. 


This Schedule Part 1 includes certain details of the Processing of Personal Data in connection 
with the supply of Goods under this Contract: 


The obligations and rights of the Purchaser as the Data Controller are set out in Condition 31 of 
the Contract. 


This is the Schedule referred to in the foregoing Conditions of Contract for the Purchase 
of Goods between [PURCHASER NAME] and 


SCHEDULE PART 2 
CYBER SECURITY REQUIREMENTS 


Drafting notes: 
• Please note that this Schedule Part 2 including the Annex are optional. The Purchaser may choose to incorporate these in the 
Contract at its discretion. 
• Text in red requires to be amended/updated by the Purchaser to reflect the specific circumstances of the Contract. 





1. DEFINITIONS 
1.1. The defined terms used in this Schedule Part 2 shall have the following meanings: 


[“Cyber Implementation Plan” means the cyber implementation plan set out in Section B 
(Cyber Implementation Plan) of the Annex to Schedule Part 2 (Cyber Security 
Requirements);] 


included. Otherwise it may be removed. 





“Cyber Security Incident” means any thing, event, act or omission which gives, or may 
give, rise to: 


(i) unauthorised access to any information system, data or electronic communications 
network (including breach of an applicable security policy); 

(ii) reduced integrity of an information system, data or electronic communications 
network; 

(iii) unauthorised use of any information system or electronic communications network 
for the processing (including storing) of data; 

(iv) disruption or change of the operation (including, but not limited to, takeover of 
control, malicious disruption and/or denial of service) of an information system or electronic 
communications network; 

(v) unauthorised changes to firmware, software or hardware; 

(vi) unauthorised destruction, damage, deletion or alteration of data residing in an 
information system or electronic communications network; 

(vii) removal or limiting the availability of, or possibility to use, data residing in an 
information system or electronic communications network; 

(viii) the appropriation, publication, dissemination or any other use of data by persons 
unauthorised to do so; or 

(ix) a breach of the Computer Misuse Act 1990, the Network and Information Systems 
Regulations 2018, the Data Protection Laws, the Privacy and Electronic Communications 
(EC Directive) Regulations 2003, the Communications Act 2003, the Official Secrets Act 
1911 to 1989, or any other applicable legal requirements in connection with cybersecurity 
and/or privacy 


in connection with the Goods and/or the Contract; 


Drafting note: Please note that the Privacy and Electronic Communications (EC Directive) Regulations 2003 are planned to be 
replaced with new legislation in the future. 


“Cyber Security Requirements” means the Purchaser's requirements in connection with cyber 
security as set out in Section A (Cyber Security Requirements) [and Section B (Cyber 
Implementation Plan)] of the Annex to this Schedule Part 2 (Cyber Security Requirements), [the 
Purchase Order, paragraph [ ] of the tender documentation and [ ] of the Contract]; 


Drafting note: 
• The Purchaser should amend the above definition as appropriate. 
• Reference to Cyber Implementation Plan may not be required where a Cyber Implementation Plan will not be 
incorporated into the contract. 
• If the Purchase Order, the Contract or tender documentation include any additional requirements relevant to cyber 
security, the Purchaser may wish to reference these here. The Purchaser may wish to refer to specific paragraphs 
within the Purchase Order and/or the tender documentation and/or other part of the Contract. 





2. CYBER SECURITY REQUIREMENTS 
2.1 The Supplier shall comply with the Cyber Security Requirements and shall implement and 
maintain all security measures: 
(a) as may be required under applicable laws (including but not limited to the 
Network and Information Systems Regulations 2018); 


(b) to enable it to discharge its obligations under this Schedule Part 2 (Cyber 
Security Requirements); and 


(c) to ensure there are no Cyber Security Incidents 


in all cases to the Purchaser’s reasonable satisfaction and in accordance with Good Industry 
Practice. 


2.2 The Supplier shall notify the Purchaser immediately it knows or believes that a Cyber Security 
Incident has or may have taken place and shall provide full details of the incident and any 
mitigation measures already taken and intended to be taken by it and (where applicable) any 
mitigation measures recommended by it to be taken by the Purchaser. 


2.3 If the Supplier fails to comply with the provisions of paragraphs 2.1 and/or 2.2, the Purchaser 
may take any action it considers appropriate or necessary (and the Supplier shall comply with 
the Purchaser’s requests in this respect). 


ANNEX 


Drafting note: This Annex is not required where Schedule Part 2 is not incorporated into the Contract, at the Purchaser's sole option. 





The cyber security requirements applicable to the Contract are set out in this Annex to Schedule 
Part 2. Section A (Cyber Security Requirements) includes the Purchaser’s requirements in 
connection with cyber security [and Section B (Cyber Implementation Plan) sets out further details 
on how the Supplier will meet such requirements]. 


Drafting note: The Purchaser should retain the reference to Section B above if: 

• the Scottish Cyber Assessment Service (SCAS) tool has been used in connection with the contract; and 

• the Supplier and the Purchaser have agreed a Cyber Implementation Plan in conjunction with the SAQ report generated by 
the SCAS tool 





Section A: Cyber Security Requirements 


Overview of requirements: 


[Cyber risk profile] ° 
[Additional questions for [Cloud security] 
management of specific [Personal data security] 


[Certification requested for 
assurance purposes] 


[Cyber Essentials or equivalent] 
[Cyber Essentials Plus or equivalent] 
[IASME Gold or equivalent] 
[ISO27001 or equivalent] 


required] required] 

management approach] e [Cyber Implementation Plans accepted 
Drafting note: If the SCAS tool is used, insert information in the above table that summarises the Purchaser’s cyber security 
requirements. Cyber security requirements set out in this Schedule Part 2 and the Annex should not deviate from the 
requirements set out in any part of the tender documentation. An example is provided above. The Purchaser should check and 
amend fields and entries to fit its contract. 





The Supplier shall meet the following requirements: 


Drafting note: If the SCAS tool is used, the Purchaser's requirements from SCAS require to be incorporated into the 
contract. Two options to achieve this include the following: 

• OPTION 1: Either cut and paste or append the full “SAQ Responses” section of the Supplier's SAQ Report, which sets 
out all questions asked of bidding suppliers in the SCAS SAQ (i.e. the Purchaser’s requirements), and the Supplier's 
responses. Please also include details of subsequent clarifications with the Supplier, if applicable. 

• OPTION 2: provide the following information (as set out in the table below) from the SCAS tool. 

The Purchaser should choose the option appropriate to the contract, Option 1 being preferable from the point of view of 
clarity. In case of Option 2, the Purchaser should retain records of its requirements and the Supplier's responses. The 
Purchaser should also retain all metadata / other information (such as e-mail alerts) generated by SCAS relating to 
completion of SAQs by it and the Supplier. 


The cyber security requirements for the Contract, and the Supplier’s responses, are 
set out in the Scottish Cyber Assessment Service under the following reference number: 
• [Insert reference number for contract] 


Time that the Supplier submitted its responses to the above cyber security 
requirements via SCAS: 
• [Insert the time and date at which the Supplier submitted its response to the SAQ via SCAS] 


Details of any subsequent clarifications: 
• [Insert details of any subsequent clarifications] 


Drafting note: If SCAS is NOT used, the Purchaser should insert applicable cyber security requirements here. This may include 
extracting / making reference to relevant parts of the Purchase Order and/or other parts of the Contract and/or the tender 
documentation. Cyber security requirements set out in this Schedule Part 2 and the Annex should not deviate from the 
requirements set out in any part of the tender documentation. 





[Section B: Cyber Implementation Plan 


Drafting note: If SCAS is used, and a Cyber Implementation Plan has been submitted by the Supplier and agreed by the 
Purchaser, the Purchaser should include this section B and the text below (if not, this section B may be deleted). Ensure that the 
date or contract phase is amended to align with the requirements communicated in the Purchase Order and/or any other part of 
the Contract and/or the tender documentation and the SCAS tool. 


The Purchaser should insert below the frequency of review of the Cyber Implementation Plan with the Supplier. This should match 
any frequency indicated in the Purchase Order and/or elsewhere in the Contract and/or the tender documentation. 
The template Cyber Implementation Plan may be found from the following address: 
https://www.gov.scot/publications/cyber-resilience-supply-chain-guidance 





The Supplier shall follow the agreed Cyber Implementation Plan to meet the requirements of 
Section A by no later than the date(s) set out in the Cyber Implementation Plan. The parties shall 
review the Supplier’s progress on the Cyber Implementation Plan regularly every [4 weeks]. If 
the Supplier fails to meet the commitments set out in the Cyber Implementation Plan, this shall 
be considered to be a material breach of the Contract for the purposes of Condition 23.2 
(Termination). 


Drafting note: Insert or append the agreed Cyber Implementation Plan below. The template Cyber Implementation Plan may be 
found from the following address: https://www.gov.scot/publications/cyber-resilience-supply-chain-guidance 